On Wed, May 9, 2012 at 6:28 PM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > On Wed, May 09, 2012 at 06:23:30PM +0200, Sasha Levin wrote: >> On Wed, May 9, 2012 at 6:12 PM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: >> > On Wed, May 09, 2012 at 05:25:14PM +0200, Sasha Levin wrote: >> >> Hi all, >> >> >> >> I've started seeing the following warning while fuzzing inside a KVM guest with the latest -next: >> > ? ? ? ?It's not a realistic attack, fortunately, since you need root >> > to get past open_exec() on any of those... ?Wait. ?How _did_ you get >> > past open_exec(), anyway? ?MAY_EXEC is not supposed to be granted on >> > anything that has no exec bits at all and AFAICS none of those files >> > have them. >> >> You could chmod +x and run them, no? > > Can't. proc_setattr() will give you -EPERM and refuse to do anything > if you call it with ATTR_MODE in ->ia_valid. If we look at /proc/irq/*/smp_affinity, which uses seq file ops, we can do this: sh-4.2# ls -al /proc/irq/5/smp_affinity -rw------- 1 root 0 0 May 9 16:35 /proc/irq/5/smp_affinity sh-4.2# chmod +x /proc/irq/5/smp_affinity sh-4.2# ls -al /proc/irq/5/smp_affinity -rwx--x--x 1 root 0 0 May 9 16:35 /proc/irq/5/smp_affinity sh-4.2# /proc/irq/5/smp_affinity /proc/irq/5/smp_affinity: line 1: 1f: command not found There are quite a lot of files under /proc that let me do that. -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
